IdAM: Identity and Access Management in Team Defence
The UK Council for Electronic Business is actively pursuing joint work in federated Identity and Access Management across Team Defence. Here, Carl Billson of UKCeB explains the context, benefits and opportunities associated with IdAM.
‘On the Internet, nobody knows you’re a dog’ is the caption of an iconic magazine cartoon from 20 years ago, featuring a dog seated at a computer making this remark to his canine friend. We value the competitive advantage that comes from working digitally. Realising it means we need to be confident that the online representation of a person is tied directly to their real-world identity.
A Ministry of Defence strategy paper from 2010, ‘Defence Identity and Access Management Strategy 2010 – A sub-strategy of the MOD Information Strategy’ (known as MODIS 2009), describes Identity and Access Management (IdAM) as an ‘integrated set of policies, processes, standards and technologies that creates and manages digital identities and associated access privileges’. It adds that credentials such as smart cards and security tokens are used as part of establishing identities for controlled access to resources.
The MOD vision in this paper is for a federated IdAM capability that provides trust in identity across the MOD and its partners throughout operational, support and business areas. An example of what this means in practice is Single Sign-On to IT systems both within an organisation and its partner organisations.
Within the MOD, the CIO takes the lead on IdAM and contributes to the pan-Government policies in which IdAM is integral to achieving greater levels of ‘joined-up’ Citizen IT. There are equivalent programmes in other governments, such as FICAM (Federal Identity, Credential and Access Management) in the US.
One key part of all these programmes is creating a digital credential, the equivalent of the ID card we use for physical access. One technology used in this area is PKI (Public Key Infrastructure). Digital PKI certificates provide a mechanism for an individual to authenticate in an assured manner. Trust in these certificates can be extended to other organisations through ‘trust hubs’ such as the US Federal Bridge and the Certipath commercial bridge.
Many governments and large corporations are investing in this technology. Some of them have joined together in the Transglobal Secure Collaboration Program (TSCP) to form a ‘government-industry partnership concerned with mitigating risks related to compliance, complexity, cost and IT inherent in large-scale and collaborative programmes that span national jurisdictions’. TSCP has published specifications and guidance that address a second challenge: providing information to a system so that it can control the scope of access that a user is permitted. This work addresses the complex requirements of export control and intellectual property protection through the exchange of identity assertions that describe user access privileges.
UKCeB has an ongoing series of IdAM workshops where members are involved in issues such as scenarios, policies, architectures and engagement of Small and Medium-sized Enterprises. UKCeB and the MOD have joint work planned for 2013. If you wish to learn from, contribute to and benefit from these activities around IdAM, please contact the UKCeB via its website.